New Nessus Plug-In For Metasploit
Zate Berg contributed this week a plug-in for controlling Nessus from inside msfconsole. I have to say he has put a lot of work into a very small amount of time, learning Ruby and coding this plugin in only a few weeks. The plug-in is now part of the development branch of the project; several patches have already been submitted by him and progress has been quick.
The first thing to do to get the new plugin is to "svn up" to the latest development version of the project, and to make sure that your Nessus server is up and running. One note: you must have already created policies on your server and have them available to the account you will use to log in to the Nessus server.
Let's load the plugin and get an output of the commands available:
msf > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help
[+] Nessus Help
[+] type nessus_help <command> for help with specific commands

Command                    Help Text
-------                    ---------
Generic Commands
-----------------          -----------------
nessus_connect             Connect to a nessus server
nessus_logout              Logout from the nessus server
nessus_help                Listing of available nessus commands
nessus_server_status       Check the status of your Nessus Server
nessus_admin               Checks if user is an admin
nessus_server_feed         Nessus Feed Type
nessus_find_targets        Try to find vulnerable targets from a report

Reports Commands
-----------------          -----------------
nessus_report_list         List all Nessus reports
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_hosts        Get list of hosts from a report
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_host_detail  Detail from a report item on a host

Scan Commands
-----------------          -----------------
nessus_scan_new            Create new Nessus Scan
nessus_scan_status         List all currently running Nessus scans
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_stop           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans

Plugin Commands
-----------------          -----------------
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_plugin_family       List plugins in a family
nessus_plugin_details      List details of a particular plugin

User Commands
-----------------          -----------------
nessus_user_list           Show Nessus Users
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_passwd         Change Nessus Users Password

Policy Commands
-----------------          -----------------
nessus_policy_list         List all polciies
nessus_policy_del          Delete a policy
As can be seen, there are a lot of commands to choose from. According to Zate Berg not all commands are implemented yet; he has about 80% of them done at the time this blog post is written. With the development version we can start playing with the plugin and familiarizing ourselves with it as it advances. Let's connect to our Nessus server; this server can be local or remote. Note that the password is given on the command line, so it will end up in your msfconsole command history:
msf > nessus_connect carlos:$ecret4blog@192.168.1.231 ok
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
msf >
Once we have connected to our server we can check what policies we have defined and use one of those to perform a scan:
msf > nessus_policy_list
[+] Nessus Policy List

ID  Name     Owner   visability
--  ----     -----   ----------
1   General  carlos  shared

msf > nessus_scan_new -h
[*] Usage:
[*]     nessus_scan_new <policy id> <scan name> <targets>
[*]     use nessus_policy_list to list all available policies
msf > nessus_scan_new -1 homelab 192.168.1.1/24
[*] Creating scan from policy number -1, called "homelab" and scanning 192.168.1.1/24
[*] Scan started.  uid is 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
The scan started and we get a uid of 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196. This ID is important because we will use it in the next commands, for example to check the status of the scan:
msf > nessus_scan_status
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  79             254

[*] You can:
[+]     Import Nessus report to database : nessus_report_get <reportid>
[+]     Pause a nessus scan : nessus_scan_pause <scanid>
msf > nessus_scan_status
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  239            254

[*] You can:
[+]     Import Nessus report to database : nessus_report_get <reportid>
[+]     Pause a nessus scan : nessus_scan_pause <scanid>
msf > nessus_scan_status
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  242            254

[*] You can:
[+]     Import Nessus report to database : nessus_report_get <reportid>
[+]     Pause a nessus scan : nessus_scan_pause <scanid>
msf > nessus_scan_status
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  249            254

[*] You can:
[+]     Import Nessus report to database : nessus_report_get <reportid>
[+]     Pause a nessus scan : nessus_scan_pause <scanid>
msf > nessus_scan_status
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[*] No Scans Running.
[*] You can:
[*]     List of completed scans: nessus_report_list
[*]     Create a scan: nessus_scan_new <policy id> <scan name> <target(s)>
msf > n
As can be seen in the example above, the host count goes up as hosts are scanned; once the scan finishes it disappears from the status output. Let's check the results of our scan:
msf > nessus_report_list
[+] Nessus Report List

ID                                                    Name     Status     Date
--                                                    ----     ------     ----
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  completed  15:52 Sep 26 2010

[*] You can:
[*]     Get a list of hosts from the report: nessus_report_hosts <report id>
msf > nessus_report_hosts
[*] Usage:
[*]     nessus_report_hosts <report id>
[*]     use nessus_report_list to list all available reports
msf > nessus_report_hosts 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[+] Report Info

Hostname       Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------       --------  -----  -----  -----  -----  ----------------  --------------
192.168.1.1    24        4      23     1      0      38873             38873
192.168.1.100  5         0      5      0      0      38873             38873
192.168.1.109  3         0      3      0      0      38873             38873
192.168.1.171  214       15     61     20     133    35764             38873
192.168.1.229  12        1      11     1      0      38096             38873
192.168.1.231  38        6      27     5      6      38873             38873
192.168.1.234  20        4      20     0      0      38873             38873
192.168.1.236  28        5      26     2      0      38096             38873
192.168.1.237  5         0      5      0      0      38873             38873
192.168.1.240  159       15     62     12     85     38873             38873
192.168.1.241  32        5      30     1      1      38096             38873
192.168.1.242  31        5      29     1      1      19437             38873
192.168.1.243  6         0      6      0      0      38873             38873
192.168.1.244  23        6      23     0      0      38873             38873
192.168.1.245  17        3      16     1      0      38873             38873

[*] You can:
[*]     Get information from a particular host: nessus_report_host_ports <hostname> <report id>
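The per-host table above is derived from the report's Nessus v2 XML, the same format nessus_report_get pulls down for import. As an added illustration (not the plugin's own code), the Ruby below builds that kind of summary with the standard-library REXML parser over a constructed .nessus fragment: the element and attribute names follow the Nessus v2 format, while the hosts, plugin IDs and plugin names are made up. The "Severity" column is reproduced as the number of items with severity 1 or higher, which is how the table's figures add up.

```ruby
require 'rexml/document'
# Constructed sample in Nessus v2 (.nessus) format, the format nessus_report_get
# imports; hosts, plugin IDs and plugin names are made up for this example.
SAMPLE_NESSUS_V2 = <<~XML
  <NessusClientData_v2>
    <Report name="homelab">
      <ReportHost name="192.168.1.1">
        <HostProperties><tag name="host-fqdn">fw.example.local</tag></HostProperties>
        <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="OS Identification" pluginFamily="General"/>
        <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900002" pluginName="SSH Banner" pluginFamily="General"/>
        <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900003" pluginName="Weak TLS Cipher" pluginFamily="General"/>
      </ReportHost>
      <ReportHost name="192.168.1.240">
        <HostProperties><tag name="host-fqdn">win.example.local</tag></HostProperties>
        <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900004" pluginName="Missing SMB Patch" pluginFamily="Windows"/>
        <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1" pluginID="900005" pluginName="SMB Signing Disabled" pluginFamily="Windows"/>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML

# Per-host summary in the shape of nessus_report_hosts: item counts per severity
# (0 = info .. 3 = high), the "Severity" column (items with severity >= 1), and
# open ports. Port 0 is the Nessus "general" pseudo-port, not a real service.
def summarize_hosts(nessus_xml)
  doc = REXML::Document.new(nessus_xml)
  summary = {}
  doc.elements.each('NessusClientData_v2/Report/ReportHost') do |host|
    sev = [0, 0, 0, 0]
    ports = []
    host.elements.each('ReportItem') do |item|
      s = item.attributes['severity'].to_i
      sev[s] += 1 if s.between?(0, 3)
      port = item.attributes['port'].to_i
      ports << "#{port}/#{item.attributes['protocol']}" if port > 0
    end
    fqdn = host.elements["HostProperties/tag[@name='host-fqdn']"]
    summary[host.attributes['name']] = {
      fqdn: fqdn && fqdn.text, sev: sev, findings: sev[1..3].sum, ports: ports.uniq.sort
    }
  end
  summary
end

# Hosts with at least one item at or above min_sev, most high findings first:
# a remediation-priority list built from the same report.
def hosts_at_or_above(summary, min_sev)
  summary.select { |_, h| h[:sev][min_sev..3].sum > 0 }
         .sort_by { |_, h| -h[:sev][3] }.map(&:first)
end
```

Feed `summarize_hosts` the contents of a real .nessus export to get the same per-host figures the plugin prints, plus the port list that nessus_report_host_ports shows per host.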
As can be seen from the output above, I can see per host how many plugins returned a positive result and the count at each severity. We can now connect to our database and import the data so we can use other modules and plugins. I will connect to a SQLite DB (NOT RECOMMENDED FOR PRODUCTION); I know it is buggy and not supported anymore, but I will use it for simplicity in my example. Once the DB is created I import the report and parse it into my MSF DB:
msf > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf > nessus_report_get 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[*] importing 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
msf >
Now that it says it has finished, let's check the imported records with db_hosts:
msf > db_hosts

Hosts
=====

(the columns address6, arch, comm, comments, info, os_flavor, os_lang, os_name, os_sp and purpose were empty and are left out here)

address        created_at               mac                name                     state  updated_at               svcs  vulns  workspace
-------        ----------               ---                ----                     -----  ----------               ----  -----  ---------
192.168.1.1    2010-09-26 20:23:07 UTC  00:0D:B9:1D:8E:B4  ASAFW.local              alive  2010-09-26 20:23:07 UTC  6     22     default
192.168.1.100  2010-09-26 20:23:06 UTC  00:26:BB:15:05:D8  loki.local               alive  2010-09-26 20:23:06 UTC  1     5      default
192.168.1.109  2010-09-26 20:23:06 UTC  7C:6D:62:E0:5E:CD  darkoperator-iPad.local  alive  2010-09-26 20:23:06 UTC  0     3      default
192.168.1.171  2010-09-26 20:22:11 UTC  00:0C:29:A7:BD:AF                           alive  2010-09-26 20:22:11 UTC  15    204    default
192.168.1.229  2010-09-26 20:22:09 UTC  00:23:32:34:1D:B7  AppleTV.local            alive  2010-09-26 20:22:09 UTC  2     12     default
192.168.1.231  2010-09-26 20:22:03 UTC  00:0C:29:EE:13:87  ubuntu.local             alive  2010-09-26 20:22:03 UTC  5     33     default
192.168.1.234  2010-09-26 20:22:03 UTC  00:1E:EC:A5:B9:86  pwnage01.local           alive  2010-09-26 20:22:03 UTC  12    20     default
192.168.1.236  2010-09-26 20:22:01 UTC  00:0C:29:A2:19:2A  freenas.local            alive  2010-09-26 20:22:01 UTC  6     28     default
192.168.1.237  2010-09-26 20:22:01 UTC  00:0C:29:F1:5D:96  winxp01.local            alive  2010-09-26 20:22:01 UTC  0     5      default
192.168.1.240  2010-09-26 20:20:49 UTC  00:0C:29:F8:8F:82  win2k801.local           alive  2010-09-26 20:20:49 UTC  15    154    default
192.168.1.241  2010-09-26 20:20:48 UTC  00:16:CB:9F:9E:11  infidel02.local          alive  2010-09-26 20:20:48 UTC  7     31     default
192.168.1.242  2010-09-26 20:20:44 UTC  00:17:F2:99:D7:CF  infidel03.local          alive  2010-09-26 20:20:44 UTC  7     30     default
192.168.1.243  2010-09-26 20:20:44 UTC  00:0C:29:25:89:66  win701.local             alive  2010-09-26 20:20:44 UTC  1     6      default
192.168.1.244  2010-09-26 20:20:43 UTC  00:24:8C:5B:FC:B8  Infidel01.local          alive  2010-09-26 20:20:43 UTC  12    23     default
192.168.1.245  2010-09-26 20:20:41 UTC  00:17:E0:3E:73:AA  TSGAP01.local            alive  2010-09-26 20:20:41 UTC  3     15     default
As you can see, you can do a lot with the plugin, and it will get better with time because Zate is now addicted, like many of us, to coding for the framework. Do follow him on Twitter for updates: @zate.